feat: add grafana test setup with oauth2

hosts/ward/default.nix

@@ -7,6 +7,7 @@
 }: let
   inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
   authDomain = "auth.${personalDomain}";
+  grafanaDomain = "grafana.${personalDomain}";
 in {
   imports = [
     nixos-hardware.common-cpu-intel
@@ -60,7 +61,91 @@ in {
   };
 
   microvm.vms.test.config = {
+    lib,
+    config,
+    ...
+  }: {
     rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+    networking.nftables.firewall = {
+      zones = lib.mkForce {
+        #local-vms.interfaces = ["local-vms"];
+        proxy-sentinel.interfaces = ["proxy-sentinel"];
+        sentinel = {
+          parent = "proxy-sentinel";
+          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+        };
+      };
+
+      rules = lib.mkForce {
+        sentinel-to-local = {
+          from = ["sentinel"];
+          to = ["local"];
+          allowedTCPPorts = [3001];
+        };
+      };
+    };
+
+    rekey.secrets.grafana-secret-key = {
+      file = ./secrets/grafana-secret-key.age;
+      mode = "440";
+      group = "grafana";
+    };
+
+    services.grafana = {
+      enable = true;
+      settings = {
+        analytics.reporting_enabled = false;
+        users.allow_sign_up = false;
+
+        server = {
+          domain = grafanaDomain;
+          root_url = "https://${config.services.grafana.settings.server.domain}";
+          enforce_domain = true;
+          enable_gzip = true;
+          http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+          http_port = 3001;
+          # cert_key = /etc/grafana/grafana.key;
+          # cert_file = /etc/grafana/grafana.crt;
+          # protocol = "https"
+        };
+
+        security = {
+          disable_initial_admin_creation = true;
+          secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
+          cookie_secure = true;
+          disable_gravatar = true;
+          hide_version = true;
+        };
+
+        auth = {
+          signout_redirect_url = "https://sso.nycode.dev/if/session-end/grafana/";
+          disable_login_form = true;
+        };
+
+        "auth.generic_oauth" = {
+          enabled = true;
+          name = "Kanidm";
+          icon = "signin";
+          allow_sign_up = true;
+          auto_login = false;
+          client_id = "grafana";
+          client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
+          scopes = "openid profile email";
+          login_attribute_path = "prefered_username";
+          auth_url = "https://${authDomain}/ui/oauth2";
+          token_url = "https://${authDomain}/oauth2/token";
+          api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+          use_pkce = true;
+          allow_assign_grafana_admin = true;
+        };
+
+        # TODO provision
+      };
+    };
   };
 
   microvm.vms.nginx.config = {
@@ -70,9 +155,7 @@ in {
   }: {
     rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
 
-    extra.wireguard.proxy-sentinel = {
-      client.via = "sentinel";
-    };
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
     networking.nftables.firewall = {
       zones = lib.mkForce {

hosts/ward/secrets/grafana-secret-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 S365Ptmx5jGBBvN7q/nxHZWLT4wsHYey5TSIvqfKqXs
+MODSBeb8Kt0CfFdTgPskMFVaen28O5N5ql7aqxJ+YaQ
+-> piv-p256 xqSe8Q A8G1Ljc2V/ay90ZiITuXGDxRaH5R/QqDsSpXbsYQFFjx
+nE6ODZqg4QAujfWOeTRD/S0m/8bRadTqSCQa5sVIJ3w
+-> <*^9;-grease X4qEn "qK,G4} 5Gp'jn!Q
+bU3aA07kpeHbqAoFMrp4mWj3/iPH67VZpE+mW2Z9huxze+Jn1js0p/hV2fj2jlWm
+/DZP
+--- vSYl/yA0H1WBqkDI+lu8o1+/l7pOt5wFwb2cLuCDWFQ
+¤YÊBç'íŽ;HI
ët%‹¼?{e8ÞÀïV€B«QýFÌ»‡eí>ìmæ(øõG†Âì̸„9ßͺȘ"‘Lû2zA~O€F³jsÂ"¸